National Aeronautics and
Space Administration

Office of Inspector General
Washington, DC 20546-0001

February 4, 2010

The Honorable Barbara A. Mikulski
Chairman
Subcommittee on Commerce, Justice, Science, and Related Agencies
Committee on Appropriations
United States Senate
Washington, D.C. 20510

Subject: NASA’s Compliance with Federal Export Control Laws and Risks Associated with the Illegal Transfer or Theft of Sensitive Technologies (Report No. IG-10-007)

Dear Madame Chairman:

This letter responds to Public Law 106-391, “National Aeronautics and Space Administration Authorization Act of 2000,” that directs the NASA Inspector General to conduct an annual audit of NASA policies and procedures with respect to the export of technologies and the transfer of scientific and technical information (STI) and the extent to which NASA is carrying out its activities in compliance with Federal export control laws and other reporting requirements. In addition, Conference Report 108-401, which accompanied H.R. 2673, the “Consolidated Appropriations Act, 2004,” directed that NASA and the NASA Inspector General work together and report annually on the risks associated with the illegal transfer or theft of sensitive technologies from NASA.

During the past year, the NASA Office of Inspector General (OIG) continued to work closely with NASA’s Office of the Chief Information Officer (OCIO), Office of Protective Services (OPS), Office of the General Counsel, and Office of External Relations to identify and reduce the risks associated with the illegal transfer or theft of sensitive technologies and ensure NASA’s compliance with Federal export control laws. We remain committed to ensuring that incidents of stolen or compromised sensitive data and technology receive immediate action and that the individuals found responsible are held accountable. We also continue to work with OCIO and OPS to address related counter-intelligence and counter-terrorism issues.

During the past year, the OIG has conducted a series of audits, investigations, and reviews to meet its requirements in this area. This letter provides summary information about our work. We will continue to provide you copies of each OIG product and will be pleased to discuss any of these reports with you or your staff.

OIG Assessment of NASA’s IT Security Program

For fiscal years (FY) 2006 and 2007, NASA has reported IT security as a material weakness in the Administrator’s annual Statement of Assurance. During this period, NASA implemented various solutions in an attempt to improve its IT security. These solutions have resulted in continued incremental improvements across NASA’s IT infrastructure; however, several significant challenges remain. Specifically, not all solutions have been fully implemented and continued breaches of NASA computer systems have resulted in the theft of sensitive data related to Agency programs, which adversely affected NASA’s mission and resulted in millions of dollars in losses.

The Agency reported in FYs 2008 and 2009 that it had taken steps to prevent future breaches of its computer systems by making progress on two key IT security initiatives. First, the Cyber Threat Analysis Program proactively detects intrusions into NASA’s cyber assets. The program includes threat analysis, identification, and reporting as well as advanced data forensics. Second, the Security Operations Center (SOC) project consolidates Agency security operations and incident response capabilities for NASA computer networks and systems. When fully operational in April 2010, NASA expects the SOC to provide end-to-end visibility and real-time monitoring of its computer networks and systems.

In addition, the Agency reported making significant progress in implementing corrective actions related to IT security weaknesses identified by the OCIO’s comprehensive IT security assessment as well as meeting its annual requirements under the Federal Information Security Management Act (FISMA). The requirements include providing an overall view of the Agency’s security and privacy program to the Office of Management and Budget.

Based on the Agency’s reported progress in improving IT security, the OCIO concluded in 2008 that IT security no longer needed to be reported as a material weakness in the Administrator’s annual Statement of Assurance, provided certain conditions were met. These conditions included substantiated progress in implementing corrective actions related to IT security weaknesses, full implementation of the SOC, and favorable results from regular security compliance reviews.

The OIG performed a limited review in 2008 to independently assess NASA’s actions to improve IT security. We found that NASA had closed 91 percent of the OIG recommendations to improve IT security in FYs 2005 through 2007, established the Cyber Threat Analysis Program, completed planning for the SOC, and improved compliance with FISMA requirements for its systems to be certified and accredited.

Based on our limited review, we agreed with the OCIO’s conclusion that IT security need no longer be reported as a material weakness. However, the threat to NASA’s computer networks and systems is tangible and evolving, both in scope and sophistication. Therefore, we included IT security in our November 2009 report identifying “NASA’s Most Serious Management and Performance Challenges” to ensure that the necessary attention and resources are directed toward fully implementing a reliable IT security program.

On January 5, 2009, the Office of External Relations announced its annual audit of the NASA Export Control Program (ECP) to be conducted at each Center. The purpose of this audit “is to ensure adequacy of the overall NASA ECP; to verify, via sampling, that required screening and licensing procedures are regularly followed; and to confirm that required documents are maintained in compliance with the requirements of the EAR [Export Administration Regulations] and the ITAR [International Traffic in Arms Regulations].” The ECP audits, which were completed between January and March 2009, found overall compliance with NASA’s ECP and export control regulations. While common weaknesses were identified in the area of training and specific instances of failure to adhere to established procedures, none of these weaknesses appear to have resulted in reportable violations of ITAR or EAR.

OIG Products Issued in FYs 2008 and 2009

Since our previous letter to you in July 2008, we issued five products that directly or indirectly related to assessing risks associated with the illegal transfer or theft of sensitive technologies. These products identified systemic issues related to a lack of consistent application of, or noncompliance with, established policies and regulations that could place NASA’s export-controlled technologies and data at risk of being stolen or compromised.

“Federal Information Security Management Act: Fiscal Year 2008 Report from the Office of Inspector General” (Report No. IG-08-031, September 30, 2008) Sensitive But Unclassified – Not for Public Release

FISMA requires agencies to report annually on the effectiveness of their IT security and privacy programs and requires Inspectors General to perform independent evaluations of these agency programs. We reviewed system security certification and accreditation (C&A) documentation for a representative sample of NASA’s non-national security systems. We found that all 39 Agency systems in our sample met FISMA requirements for system C&A. However, only 3 of the 6 external (contractor) systems in our sample complied with system C&A requirements. We also found that NASA could improve its processes for remediating identified IT security weaknesses. For example, plans of action and milestones (POA&Ms) were not always created to address known IT security weaknesses. In addition, when POA&Ms were developed, the Agency did not have an effective process for monitoring progress on POA&M activities. Our review found that NASA needed to improve its POA&M process and strengthen oversight of external systems in accordance with FISMA.

“NASA’s Processes for Providing Personal Identity Verification (PIV) Cards Were Not Completely Effective in Meeting Federal Requirements” (Report No. IG-09-015, April 27, 2009) Available on the Internet

We evaluated the adequacy of processes put in place by NASA to prevent unauthorized access to Agency facilities, computer systems, and data. Specifically, we examined whether NASA’s process for issuing employee and contractor personal identity verification (PIV) cards complied with Homeland Security Presidential Directive 12, “Policy for a Common Identification Standard for Federal Employees and Contractors.” We found that NASA issued more than 70,000 PIV cards to staff and contractors from a non-accredited PIV card issuer. We also found that NASA did not ensure that staff with PIV card responsibilities received the training needed to competently perform their duties. Although these conditions increased the likelihood of issuing PIV cards to unauthorized individuals, we did not identify any instances of this occurring. We recommended that NASA take steps to ensure that PIV cards are issued only from accredited card issuers; individuals receive training appropriate to their PIV card role; and NASA computer systems that support the PIV card process be developed in accordance with Agency guidance. Management concurred with our recommendations and their proposed actions were responsive.

“Improvements Needed in NASA’s Oversight and Monitoring of Small Business Contractor Transfers of Export-Controlled Technologies” (Report No. IG-09-018, July 14, 2009) Available on the Internet

To determine whether NASA maintained effective oversight and monitoring of contractor transfers of critical technologies and technical information to foreign nationals and countries of concern, we reviewed 13 contracts from 10 contractors: 4 large corporations, 2 universities, and 4 small companies with either Small Business Innovation Research (SBIR) or Small Business Technology Transfer (STTR) contracts. We found that NASA could improve its oversight and monitoring of small business contractor transfers of critical technology and technical information. Although the large corporations and universities we reviewed generally had adequate procedures to protect export-controlled technology from illegal transfer, the procedures at the small business contractors did not adequately protect export-controlled technology. Specifically, we found a lack of awareness of export control regulations among small business contractors and small business procurement personnel. As a result, small business contractors are at increased risk of improperly releasing critical technology and technical information. We recommended that NASA monitor policy as implemented at other Federal agencies and amend its policy to incorporate the best practices; require contracting officers to monitor and oversee contractors’ compliance with export control regulations; and expand its export control outreach efforts to include personnel involved in administration of SBIR/STTR contracts and small business contractors. Management’s planned corrective actions were responsive to our recommendations.

“Final Memorandum on the Audit of the Reporting of NASA’s National Security Systems” (Report No. IG-09-024, August 28, 2009) Sensitive But Unclassified – Not for Public Release

We evaluated the adequacy of NASA’s process for certifying and accrediting its national security (classified) IT systems and determined that the process generally provided adequate information security protection. However, we found some systems lacked appropriate C&A documentation, which NASA subsequently has addressed. All of the report recommendations are resolved or closed.

“Federal Information Security Management Act: Fiscal Year 2009 Report from the Office of Inspector General” (Report No. IG-10-001; November 10, 2009) Sensitive But Unclassified – Not for Public Release

We conducted our annual review of the Agency’s compliance with FISMA and Agency privacy management requirements and provided the results to the Office of Management and Budget in November 2009. This review examined systems from all 10 NASA Centers, NASA Headquarters, and the NASA Shared Services Center to evaluate NASA’s compliance with FISMA and Agency privacy management requirements. Overall, we found the Agency complied with privacy management requirements, although we identified internal control weaknesses related to the Plan of Action and Milestones process, operating system configuration management, security controls testing, and contingency plan testing. In addition, we found that oversight for external systems could be improved.

Incident Reports and Referrals

The synopses below concern incidents either investigated by us or issues brought to our attention that involved the loss, theft, or inappropriate release of sensitive data that resulted in the filing of police reports, inter/intra-agency notifications, or formal referrals to NASA management for action.

Loss of NASA Laptop that Contained Sensitive Information (August 2008)

A NASA employee lost a laptop containing sensitive data on the Avionics System for the Atlas V. The employee filed a report with NASA detailing the circumstances under which the laptop was lost and also filed a report with the local police department.

Release of an Unmarked Export-Controlled Document to the Internet (September 2008)

A NASA contract employee doing routine research on the Internet found an unmarked export-controlled document that contained SBU information on the Upper Stage Program of Ares I. The contractor notified the appropriate Center’s export control office of the document discovery. In addition, the contractor conducted an internal investigation to determine the extent and scope of this violation and concluded that the unauthorized release of this document was not the result of any action on its part and that the release of this document had no impact on national security.

Computer Compromises and Theft of Export Restricted Data from the Jet Propulsion Laboratory (January 2009)

The OIG notified the Agency of systemic IT deficiencies discovered during the course of an investigation into unlawful computer intrusions at the Jet Propulsion Laboratory (JPL). The OIG determined that the intrusion resulted in the theft of approximately 22 gigabytes of program data, which was illegally transferred to an Internet Protocol (IP) address in China; that the stolen data included information protected under ITAR and EAR; and that a significant contributing factor to the loss was inadequate security settings at JPL, which allowed the intruder access to a wide range of sensitive data. In a memorandum summarizing our findings, we recommended that NASA immediately assess JPL’s IT security to ensure that JPL’s systems comply with IT security standards. We also recommended that the Agency ensure that all reporting requirements regarding the loss of ITAR and EAR data were met in connection with this incident, and recommended the Agency take this incident into account when assessing contract performance. NASA Headquarters officials responded that they had discussed the matter at length with JPL and approved a corrective action plan to address our findings and recommendations.

Stolen NASA Laptop that Contained Sensitive and Export-Controlled Information (June 2009)

In June 2009, a NASA laptop was stolen from an employee’s locked rental car in San Francisco, California. The laptop contained SBU and ITAR data pertaining to the Ares I. A police report was filed and specifics about the stolen laptop were entered in the National Crime Information Center and the National Stolen Computer registry. The applicable Center’s Protective Services Office is conducting a damage assessment relative to the loss and possible compromise of the SBU and ITAR information on the laptop.

Stolen NASA Employee’s Suitcase Contained ITAR Material (June 2009)

In June 2009, the Office of External Relations reported to the Department of State that a NASA employee had a suitcase stolen at the Seattle, Washington, Sea-Tac Airport that contained ITAR material. The suitcase contained a hardcopy set of detailed drawings (more than 700 pages) of a model of the Orion Launch Abort Vehicle and two disk drives with a variety of files containing detailed information about the Orion Crew Exploration Vehicle. The files on the disk drives were encrypted. A police report was filed and authorities were tracking the use of a credit card also contained in the suitcase.

Assignments in Progress

The OIG is conducting several computer intrusion investigations involving NASA systems containing technical data covered by ITAR or EAR. This work includes multi-Agency investigations involving hackers in Italy, Portugal, Sweden, Russia, and China. We are also conducting other investigations involving the potentially unlawful disclosure of sensitive information covered by ITAR or EAR. In all of these investigations, we continue to work with law enforcement agencies and NASA officials to identify and remedy systemic weaknesses that allow for network intrusions by outsiders and unauthorized disclosures by NASA civilian and contract employees.

Additionally, the OIG is currently conducting an audit related to the transfer, control, and protection of critical technology and sensitive data. The results of this audit should assist NASA in determining the extent to which it is in compliance with Federal export control laws and other reporting requirements. In addition, the OIG is examining the effectiveness of NASA’s management, operational, and technical controls for ensuring the confidentiality, integrity, and availability of data from NASA’s Enterprise Document Management System.

Planned OIG Projects

For FY 2010, the OIG is planning an audit examining NASA’s compliance with export control laws and regulations and the protection of scientific and technical information from illegal transfer. Specifically, this audit will include an assessment of the identification and disposition of export-controlled property associated with the Space Shuttle Program. As NASA winds down the Space Shuttle Program, the protection of sensitive technologies will become even more critical to national security and the safety of NASA missions. As the Space Shuttle Program draws to a conclusion, we plan to not only focus on the disposition of Space Shuttle Program assets but also ensure that controls are in place to provide adequate assurance that sensitive technologies of next-generation efforts are protected from loss or theft.

If you or your staff would like to meet with us to discuss any of the issues addressed in this letter, please contact Debra Pettitt, Acting Assistant Inspector General for Auditing, at (202) 358-3725.

Sincerely,

signed

Paul K. Martin
Inspector General

cc:   Charles F. Bolden, Jr.
      NASA Administrator

      William B. Waits
      Deputy Assistant Administrator, Office of Security and Program Protection

      Jerry Davis
      Deputy Chief Information Officer for Information Technology Security

      John F. Hall
      Director
      Export Control and Interagency Liaison Division/

Identical letter to:
      The Honorable Richard Shelby
      Ranking Member
      Subcommittee on Commerce, Justice, Science, and Related Agencies
      Committee on Appropriations
      United States Senate

      The Honorable Bill Nelson
      Chairman
      Subcommittee on Science and Space
      Committee on Commerce, Science, and Transportation
      United States Senate

      The Honorable David Vitter
      Ranking Member
      Subcommittee on Science and Space
      Committee on Commerce, Science, and Transportation
      United States Senate

      The Honorable Joseph I. Lieberman
      Chairman
      Committee on Homeland Security and Governmental Affairs
      United States Senate

      The Honorable Susan M. Collins
      Ranking Member
      Committee on Homeland Security and Governmental Affairs
      United States Senate

      The Honorable Alan B. Mollohan
      Chairman
      Subcommittee on Commerce, Justice, Science, and Related Agencies
      Committee on Appropriations
      House of Representatives

      The Honorable Frank R. Wolf
      Ranking Member
      Subcommittee on Commerce, Justice, Science, and Related Agencies
      Committee on Appropriations
      House of Representatives

      The Honorable Edolphus Towns
      Chairman
      Committee on Oversight and Government Reform
      House of Representatives

      The Honorable Darrell Issa
      Ranking Member
      Committee on Oversight and Government Reform
      House of Representatives

      The Honorable Gabrielle Giffords
      Chairman
      Subcommittee on Space and Aeronautics
      Committee on Science and Technology
      House of Representatives

      The Honorable Pete Olson
      Ranking Member
      Subcommittee on Space and Aeronautics
      Committee on Science and Technology
      House of Representatives